On Wed, Mar 11, 2015 at 20:16:09 CET, Martin, David K. wrote:
> I have a question about dmcrypt. If the MK digest is the output of SHA1,
> wouldn't the master key be the weakest point in the setup? SHA1 only
> provides 80 bits of security and that can't be changed.
First, sha1 provides 160 bits for the use at hand. Second, the
master key is derived from /dev/(u)random and as good as the platform
allows. And third, the MK digest is the result of 1000 iterations of
pbkdf2 with sha1.
I do not follow your argument at all.
> All an attacker has to do is seek a collision in SHA1 to get the master
> key.
No. An attacker has to _reverse_ sha1, which is far, far harder.
Against reversing, SHA1 is secure at this time.
> There would be absolutely no point in going after the password
> especially if you use a 512 bit hash like SHA512 or WHIRLPOOL. Those two
> provide 256 bits of security. The 80 bits of security for the master key is
> the weak point in the setup.
Seriously, they would _not_ be more secure. In fact, a longer hash
would possibly leak _more_ of the master key. As SHA1 has only
160 bits, it could not leak more than 160 bits of a 256 bit or 512 bit
key. At the same time SHA512 could leak the full key.
>> Am I understanding that right?
Sorry, but not at all. You should look again at what specific
scenarios SHA1 is broken for. The use in cryptsetup is not among
them. All breaks of sha1 at this time need at least to know one
input, but usually have to _select_ both inputs to sha1. In
cryptsetup for the MK hash, the input is unknown to the attacker
and cannot be selected by the attacker either.
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
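As an added illustration of the mechanism Arno describes (this is example code written for this page, not cryptsetup's own implementation): the master key comes from the OS CSPRNG, the header stores PBKDF2-HMAC over that key with a salt and an iteration count, and unlocking means recomputing the digest and comparing it. The field sizes (20-byte digest, 32-byte salt) follow the LUKS1 on-disk format; the header dict, function names and the `digest_bits_exposed` bound are assumptions made for the example. The constructed key and salt at the bottom are fixed only so the demo is reproducible.

```python
import hashlib
import hmac
import os

# LUKS1 header layout constants: the MK digest field is a fixed 20 bytes
# (the SHA-1 output length) whatever hash is configured, and the salt is 32 bytes.
MK_DIGEST_LEN = 20
MK_DIGEST_SALT_LEN = 32
MK_DIGEST_ITER_DEFAULT = 1000   # the "1000 iterations" from the thread


def generate_master_key(key_bytes=32):
    """Master key straight from the platform CSPRNG (/dev/urandom), as in the thread."""
    return os.urandom(key_bytes)


def mk_digest(master_key, salt, iterations=MK_DIGEST_ITER_DEFAULT, hash_name="sha1"):
    """PBKDF2-HMAC over the master key, truncated to the fixed header field size.

    The attacker never sees master_key; only this output (and the salt and
    iteration count) sits in the header.  Recovering the key means inverting
    this function, not finding a collision in the underlying hash.
    """
    return hashlib.pbkdf2_hmac(hash_name, master_key, salt, iterations, dklen=MK_DIGEST_LEN)


def make_header(master_key, salt=None, hash_name="sha1", iterations=MK_DIGEST_ITER_DEFAULT):
    """Assumed header representation: the three values needed to re-check a key."""
    if salt is None:
        salt = os.urandom(MK_DIGEST_SALT_LEN)
    return {
        "salt": salt,
        "iterations": iterations,
        "hash": hash_name,
        "digest": mk_digest(master_key, salt, iterations, hash_name),
    }


def verify_master_key(candidate_key, header):
    """Recompute the digest for a candidate key and compare in constant time."""
    computed = mk_digest(candidate_key, header["salt"], header["iterations"], header["hash"])
    return hmac.compare_digest(computed, header["digest"])


def digest_bits_exposed(header, key_bytes):
    """Information-theoretic upper bound on master-key bits the stored digest can
    reveal: no more than the digest's own length, and no more than the key has.
    This is the point made in the thread about a 160-bit output against a
    256-bit or 512-bit key."""
    return min(len(header["digest"]) * 8, key_bytes * 8)


if __name__ == "__main__":
    # Constructed, fixed values so the run is reproducible; real headers use os.urandom.
    demo_key = bytes(range(32))
    demo_salt = b"\x01" * MK_DIGEST_SALT_LEN
    hdr = make_header(demo_key, salt=demo_salt)
    print("digest:", hdr["digest"].hex())
    print("correct key accepted:", verify_master_key(demo_key, hdr))
    print("wrong key accepted:  ", verify_master_key(bytes(32), hdr))
    print("max key bits exposed by digest:", digest_bits_exposed(hdr, len(demo_key)))
```

Two things the run makes concrete: the check is a one-way recomputation, so the only attack on it is guessing keys and re-running PBKDF2 for each, which a 256-bit CSPRNG key makes hopeless; and because the digest field is 20 bytes, it can reveal at most 160 bits of a 256-bit key even in principle, which is the bound Arno gives for why a wider hash would not help.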